Thursday, February 15, 2018

MANUFACTURING IN THE CLOUD: PART XI: "SECURITY OF THE CLOUD" VS. "SECURITY IN THE CLOUD"

This blog is part of a series called Manufacturing in the Cloud. This series aims to assist manufacturing organizations to evaluate how they can overcome challenges and maximize cloud computing benefits. As cloud computing services mature both commercially and technologically, this is likely to become relatively easier to achieve.

In many cases, the most valuable asset of a manufacturing organization, besides its people, is its business data. Data assets in the cloud are under constant threats in the form of data breaches, data corruption and destruction, temporary or permanent loss of access, and temporary or permanent loss of data. Have some of these issues ever happened to your manufacturing organization?

Any of these issues can have serious consequences since they can cause failure to meet statutory, regulatory or legal requirements. By keeping in mind previously mentioned concerns about loss of visibility over resources in the cloud, do you still feel the same level of fear?

If you do, please stay tuned and continue to read this blog. We need to discuss a few more things to dispel the fear.
As said in the previous blog, cloud computing is about consolidating software and data resources and in this process manufacturing organizations are losing control over those resources. Moving to the cloud still provides many challenges for manufacturing organizations to overcome, but smooth transition is possible and definitely without fear.

YOUR RESPONSIBILITY VS THEIRS

One of the most difficult challenges for both a manufacturing organization and a CSP is how to protect software applications and data. In many instances, it is not clear who is responsible for software and data security and regulatory compliance in the cloud; the manufacturing organization as the Cloud Service Customer (CSC), the Cloud Service Provider (CSP), or both.

The most common and most critical question posed by manufacturing organizations evaluating the benefits of cloud computing and moving sensitive data and business critical software applications to the cloud is, "Who is responsible for software and data security and regulatory compliance in the cloud?"

What about you? Do you know the answer? Let's talk more and we can get the answer together.

First of all, when considering software applications and data assets in the cloud, manufacturing organizations must understand a general concept of shared responsibility between service providers (CSPs) and customers (CSCs). While CSP manages "security of the cloud", "security in the cloud" is the responsibility of the customer (i.e. the manufacturing organization).

This means the manufacturing organization will retain control of what security they choose to implement to protect data and software applications no differently than they would manage it with on-premises infrastructures. This concept is critically important to remember.

Manufacturing organizations that have decided to outsource their IT services and critical resources to the cloud, should also be concerned about vendor lock-in. This situation is characterised as a dependency on the Cloud Service Provider to maintain the manufacturer’s business operations that includes data and software applications.

Manufacturing organisations must define the clear exit strategy and avoid any proprietary technologies and standards wherever and whenever possible. Please, don't make any agreement with any CSP if you are not clear what your exit strategy is. This is the tool you have to have in your toolbox! If things go wrong, you might need to change your CSP, or simply realize that cloud computing is not the best option for your manufacturing organization and decide to move your IT services and resources back on-premises.

Goran Novkovic, CQA, CSQE, ITIL, APM, PMP, PEng
Goran Novkovic has over 15 years of experience in various regulated industry sectors. His expertise is in industrial control systems (ICS) cybersecurity, control systems engineering, computer systems validation, software security and test management, cloud security and regulatory compliance. Goran has a formal education in Electrical Engineering and Project Management and possesses a master's degree in Information Technology. He has number of professional licenses and designations. He is holder of CQA (Certified Quality Auditor) and CSQE (Certified Software Quality Engineer) certifications with ASQ (American Society for Quality). Goran is certified ITIL, certified Agile Project Manager and Project Management Professional with PMI (Project Management Institute). He is licensed Professional Engineer with PEO (Professional Engineers Ontario). Goran is focused on ICS cybersecurity and he is helping organizations to establish ICS cybersecurity governance and develop effective ICS cybersecurity programs from scratch. E-mail contact: goran@valiver.com